From 29a5c04c2e514b4ed79451f6322f943fb186dd70 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Tue, 25 Oct 2022 15:35:37 -0700
Subject: [PATCH] add test case
---
 certs/ocsp/include.am | 3 +-
 certs/ocsp/renewcerts.sh | 1 +
 certs/ocsp/test-multi-response.der | Bin 0 -> 1961 bytes
 tests/api.c | 60 +++++++++++++++++++++++++++++
 4 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 certs/ocsp/test-multi-response.der
diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am
index 92a72b81e..1b663075f 100644
--- a/certs/ocsp/include.am
+++ b/certs/ocsp/include.am
@@ -35,4 +35,5 @@ EXTRA_DIST += \
 certs/ocsp/root-ca-cert.pem \
 certs/ocsp/test-response.der \
 certs/ocsp/test-response-rsapss.der \
- certs/ocsp/test-response-nointern.der
+ certs/ocsp/test-response-nointern.der \
+ certs/ocsp/test-multi-response.der
diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh
index d5d411953..22103c4d0 100755
--- a/certs/ocsp/renewcerts.sh
+++ b/certs/ocsp/renewcerts.sh
@@ -87,6 +87,7 @@ PID=$! openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -cert ./intermediate2-ca-cert.pem -url http://localhost:22221/ -respout test-multi-response.der -noverify kill $PID wait $PID 
diff --git a/certs/ocsp/test-multi-response.der b/certs/ocsp/test-multi-response.der new file mode 100644 index 0000000000000000000000000000000000000000..09ea5d1bea2e1bf1232283e7312bd64d5bf67442 GIT binary patch literal 1961 zcmXqLVqeO|$grS^eV#!R`z$t2Z8k<$R(1nMMwTY_ZlF-RK@;QBg^ddh8s`~u8*s8Q zhqABU_wtf9mXCgSW^sBEBUAdiR~CKe$Ufmdl8%tEz$S0?}Q4Rrf+ z>8AlN8!UVnxmg*Qn;01xJih%`pKHz@{_e@&*4Ae?JeQu;{Fh>+ZN4VpjKDbG5&nPcn zelS#Z(v^D`RtDb@Pz4YD6YZk{;n>d&8DlBMXIcCtratMg`88k63Tfof3$i&3Rf)-W= zjniqGxFrn4Ac>nFmbi=Z^Gg(*9SNpt137VClvEAmqNKjTo-KjJhZ1sVGlEklKLb#l ziwTrOckEK$^6hZ7$l)blWfK>El}p~)s%#RF`=e%27fbim(iq+E$sHHjt6p)tnrgq6 z->9@@ilfD&xh2=S4U_}|kKR6I@236lX_UQVNqXtjl~b-Be&_U~_w}Ty4{xS!cRnI< zPpo0WITcgIBcW@e0w3tXUgD1SmR}80T-`H1 zKmPCMB9mHDQy7x^)RKvrk%4hBFf@Q6!Uis2WrbOo3>d)Wp)4PZ7>kHe`ooQtmm2@f zSLP{j2-xZtw!^^8pz#PWNy#d+H108I+}VJ&3|rVZcS+-{!JD|77?TZzLB3FB;W6N1 zu>2bDlq36#S^>lGE?JZ&z#_C7be9 z&QI$6^3&kgyu`Kt|M7jDAFE!MH2a0?(H{Z({A>1z=CJH7(px;&wJhxSCpNFR56c=p zyBFwQ^VZ$W*L-S9P8-W5Kha61A<-*8?A!3;UGT|zp)1N=^Li)fr?Gt~@Awll_lEVE ZN5%)<9L@94(u$0~&GxLuRqjfUA^`uBr49f9 literal 0 HcmV?d00001 diff --git a/tests/api.c b/tests/api.c index 9a0fc101d..bcdadc575 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1672,6 +1672,7 @@ static int test_wolfSSL_CheckOCSPResponse(void) { #if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) const char* responseFile = "./certs/ocsp/test-response.der"; + const char* responseMultiFile = "./certs/ocsp/test-multi-response.der"; const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; OcspResponse* res = NULL; 
@@ -1720,6 +1721,65 @@ static int test_wolfSSL_CheckOCSPResponse(void) AssertNotNull(res); wolfSSL_OCSP_RESPONSE_free(res); + /* check loading a response with multiple certs */ + { + WOLFSSL_CERT_MANAGER* cm = NULL; + OcspEntry entry[1]; + CertStatus status[1]; + OcspRequest* request; + + byte serial[] = {0x02}; + + byte issuerHash[] = { + 0x44, 0xA8, 0xDB, 0xD1, 0xBC, 0x97, 0x0A, 0x83, + 0x3B, 0x5B, 0x31, 0x9A, 0x4C, 0xB8, 0xD2, 0x52, + 0x37, 0x15, 0x8A, 0x88 + }; + byte issuerKeyHash[] = { + 0x73, 0xB0, 0x1C, 0xA4, 0x2F, 0x82, 0xCB, 0xCF, + 0x47, 0xA5, 0x38, 0xD7, 0xB0, 0x04, 0x82, 0x3A, + 0x7E, 0x72, 0x15, 0x21 + }; + + XMEMSET(entry, 0, sizeof(OcspEntry)); + XMEMSET(status, 0, sizeof(CertStatus)); + + AssertNotNull(request = wolfSSL_OCSP_REQUEST_new()); + request->serial = (byte*)XMALLOC(sizeof(serial), NULL, + DYNAMIC_TYPE_OCSP_REQUEST); + AssertNotNull(request->serial); + + request->serialSz = sizeof(serial); + XMEMCPY(request->serial, serial, sizeof(serial)); + XMEMCPY(request->issuerHash, issuerHash, sizeof(issuerHash)); + XMEMCPY(request->issuerKeyHash, issuerKeyHash, sizeof(issuerKeyHash)); + + AssertNotNull(cm = wolfSSL_CertManagerNew_ex(NULL)); + AssertIntEQ(wolfSSL_CertManagerEnableOCSP(cm, 0), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CertManagerLoadCA(cm, caFile, NULL), + WOLFSSL_SUCCESS); + + f = XFOPEN(responseMultiFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + AssertIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data, + dataSz, NULL, status, entry, request), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, data, + dataSz, NULL, entry->status, entry, request), WOLFSSL_SUCCESS); + + /* compare the status found */ + AssertNotNull(entry->status); + AssertIntEQ(status->serialSz, entry->status->serialSz); + AssertIntEQ(XMEMCMP(status->serial, entry->status->serial, + status->serialSz), 0); + + wolfSSL_OCSP_REQUEST_free(request); + 
wolfSSL_CertManagerFree(cm); + } + #if defined(WC_RSA_PSS) { const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der";
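Review bot: The final two asserts in the added block may be comparing a status with itself: the second `wolfSSL_CertManagerCheckOCSPResponse` call passes `entry->status` as its status argument, so if the first call pointed `entry->status` at `status` (the callee is not visible here), `status->serial` and `entry->status->serial` are the same bytes and the check cannot fail. To pin that the single response selected from the multi-certificate reply is the one asked for, compare against the request instead, e.g. `AssertIntEQ(status->serialSz, (int)sizeof(serial));` and `AssertIntEQ(XMEMCMP(status->serial, serial, sizeof(serial)), 0);`. `AssertNotNull(entry->status)` also runs only after `entry->status` has already been passed to the second call, so it should move up between the two calls. A short comment naming the certificate the hard-coded `issuerHash`/`issuerKeyHash` bytes were taken from would help keep them in step with the regenerated `test-multi-response.der`. The enclosing test function begins and ends outside this hunk.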